If I replace the root userfolder of a ZODB with an LDAP User Folder, will I still be able to grant local roles to users defined in that user folder in certain parts of the tree?
the LDAPUserFolder (and all others AFAIK) have no relation whatsoever to the local role mechanism, other than being a source of possible user IDs.
The idea here is that in a CMS, you want some people to only be able to maintain content in certain areas of the site. Am I correct in assuming that the 'official' way of doing this in Zope is to give those users an anonymous role at the root of the ZODB and then give them local roles appropriate to a content maintainer in the folders where they're allowed to maintain content?
i don't think there is an "official" way but the pattern you describe is very common, yes.
If so, how would one go about giving a group of people that content maintaining role in an area of a site? Hmmm, I guess if I could grant a 'role' the local role in those areas then I could get what I'm after.
the LDAUserFolder has no built-in idea of "grouping" people, just like most other user folders out there. AFAIK at this point the only solution is to grant the local roles to individual users.
Would NuxUSerGroups help in this area at all? Do they work with LDAPUserFolder?
no idea. i have never looked at NuxUserGroups. jens